Automated Characterization of Network Traffic

ABSTRACT

Automated characterization of network traffic is described herein. A method may include compiling network traffic data based on received network traffic, preparing a network traffic characterization based on the network traffic data, and generating outgoing network traffic scripts based on the network traffic characterization. A method may also include capturing network traffic and generating test network traffic based on the scripts. A network testing system on which the method may be executed may include one or more chassis and/or computing devices, each having one or more network cards. The chassis and/or computing devices may be connected to one or more networks and to one another. The networks may include a production network and a test network. A system may include a data collector, a characterization engine, a script generator, and a traffic generator.

RELATED APPLICATION INFORMATION

This patent claims priority from Utility patent application Ser. No. 10/651,427 filed Aug. 29, 2003, entitled “AUTOMATED CHARACTERIZATION OF NETWORK TRAFFIC”, which claims priority to Provisional Application No. 60/472,549 filed May 21, 2003, entitled “ANALYSIS, MODELING AND GENERATION OF NETWORK TRAFFIC”, both of which are incorporated herein by reference.

NOTICE OF COPYRIGHTS AND TRADE DRESS

A portion of the disclosure of this patent document contains material, which is subject to copyright protection. This patent document may show and/or describe matter, which is or may become trade dress of the owner. The copyright and trade dress owner has no objection to the facsimile reproduction by anyone of the patent disclosure as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright and trade dress rights whatsoever.

BACKGROUND

1. Field

This disclosure relates to networks and network traffic.

2. Related Art

Networks such as the Internet provide a variety of data communicated using a variety of network devices including servers, routers, hubs, switches, and other devices. Before placing a network into use, the network, including the network devices included therein, may be tested to ensure successful operation. Network devices may be tested, for example, to ensure that they function as intended, comply with supported protocols, and can withstand anticipated traffic demands.

To assist with the construction, installation and maintenance of networks and network devices, networks may be augmented with network analyzing devices, network conformance systems, network monitoring devices, and network traffic generators, all which are referred to herein as network testing systems. The network testing systems may allow for the sending, capturing and/or analyzing of network communications.

Current network traffic analysis tools and traffic generation systems exist as separate entities. Several techniques for gathering and analyzing network data exist. These techniques include direct playback of recorded data and synthetic generation of packet based traffic. Current systems do not combine statistical analysis and modeling with automatic scripting and traffic generation capabilities.

In some network testing systems, the tasks of gathering, analyzing and modeling network traffic data, creating scripts based on the network traffic data, and generating synthetic network traffic involve comprehensive human intervention. The manually intensive tasks call for highly trained personnel skilled in using a number of products. The users of current network testing systems must understand the input and output specifications of each of the separate components of the systems used throughout the testing process. The inconvenience of using several products for network testing is exacerbated by the risk of human errors at multiple instances during the testing process. The errors resulting from use of current network testing systems, the personnel needed to run and/or manage current network testing systems, and the personnel required to operate current network testing systems result in large operational costs. In addition, in simplifying current network testing systems to reduce human introduced errors and to demand less knowledge from users, the capabilities of current network testing systems have been reduced.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an environment in which the systems and methods described herein may be implemented.

FIG. 2 is a block diagram of a second environment in which the systems and methods described herein may be implemented.

FIG. 3 is a block diagram of a third environment in which the systems and methods described herein may be implemented.

FIG. 4A is a functional block diagram of operating units used in an implementation of a system described herein.

FIG. 4B is a flowchart of actions taken by the operating units shown in FIG. 4.

FIG. 5 is a second functional block diagram of operating units used in an implementation of a system described herein.

FIG. 6 is a block diagram of a network testing system.

FIG. 7 is a flow chart of a method described herein.

FIG. 8 is a flow chart of actions taken in filtering network traffic.

FIG. 9 is a flow chart of actions taken in filtering Internet Protocol data units.

FIG. 10 is a network traffic summary table.

FIG. 11 is a representation vector of a TCP data unit.

FIG. 12 is a representation vector of an ICMP data unit.

DETAILED DESCRIPTION

Throughout this description, the embodiments and examples shown should be considered as exemplars, rather than limitations on the elements claimed below.

As described herein, network traffic statistical analysis and statistics gathering, network traffic modeling, network traffic script creation and/or network traffic generation are automated to reduce user involvement in and improve network testing, network device testing and network application testing. The analysis, modeling and profiling of network traffic allows for the automatic generation of network traffic scripts and/or network traffic that statistically reflects the behavior of real traffic in a network.

Environment

Referring to FIG. 1, there is shown a block diagram of an environment in which the systems and methods described herein may be implemented. The environment includes network testing chassis 110 and 120 coupled to one another via a dedicated line or network 150, plural network capable devices 130, and a network 140 to which each of the network testing chassis may be coupled.

The network 140 may be a local area network (LAN), a wide area network (WAN), a storage area network (SAN), or a combination of these. The network 140 may be wired, wireless, or a combination of these. The network 140 may include or be the Internet. The network 140 may be public or private, and may be a segregated test network. The network 140 may be comprised of numerous nodes providing numerous physical and logical paths for data to travel.

Communications on the network 140 may take various forms, including frames, cells, datagrams, packets or other units of information, all of which are referred to herein as data units. The network testing system 100 and the network capable devices 130 may communicate simultaneously with one another, and there may be plural logical communications links between the network testing chassis 110 and 120 with a given network capable device 130. Those data units that are communicated over a network are referred to herein as network traffic.

The network testing chassis 110 and 120 may include or be one or more of a traffic generator, a performance analyzer, a conformance validation system, a network analyzer, a network management system, and/or others. The network testing chassis may include an operating system such as, for example, versions of Linux, Unix and Microsoft Windows. The network testing chassis 110 and 120 may include one or more network cards 114 and 124, and back plane 112 and 122. The network testing chassis 110 and 120 and/or one or more of the network cards 114 and 124 may be coupled to network 140 via one or more connections 118 and 128. Connections 118 and 128 may be wired or wireless. The network testing chassis 110 and 120 may be coupled for communication directly to one another over line 150. The network testing chassis 110 and 120 may also communicate with one another over network 140.

The network testing chassis 110 and 120 may be in the form of a card rack, as shown in FIG. 1, or may be an integrated unit. Alternatively, each of the network testing chassis may comprise a number of separate units cooperating to provide traffic generation, traffic and/or network analysis, network conformance testing, and other tasks.

The network testing chassis 110 and 120 and the network cards 114 and 124 may support one or more well known higher level communications standards or protocols such as, for example, the User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Protocol (IP), Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP), address resolution protocol (ARP), reverse address resolution protocol (RARP), file transfer protocol (FTP), Simple Mail Transfer Protocol (SMTP); and may support one or more well known lower level communications standards or protocols such as, for example, the 10 Gigabit Ethernet standard, the Fibre Channel standards, and one or more varieties of the IEEE 802 Ethernet standards, Asynchronous Transfer Mode (ATM), X.25, Integrated Services Digital Network (ISDN), token ring, frame relay, Point to Point Protocol (PPP), Fiber Distributed Data Interface (FDDI), may support proprietary protocols, and may support other protocols.

The term network card encompasses line cards, test cards, analysis cards, network line cards, load modules, interface cards, network interface cards, data interface cards, packet engine cards, service cards, smart cards, switch cards, relay access cards, CPU cards, port cards, and others. The network cards may be referred to as blades. The network cards 114 and 124 may include one or more computer processors, field programmable gate arrays (FPGA), application specific integrated circuits (ASIC), programmable logic devices (PLD), programmable logic arrays (PLA), processors and other kinds of devices. The network cards may include memory such as, for example, random access memory (RAM). In addition, the network cards 114 and 124 may include software and/or firmware.

At least one network card 114 and 124 in each of the network testing systems 110 and 120 may include a circuit, chip or chip set that allows for communication over a network as one or more network capable devices. A network capable device is any device that may communicate over network 140. The network cards 114 and 124 may be connected to the network 140 through one or more connections 118 and 218 which may be wire lines, optical fiber cables, wirelessly and otherwise. Although only one each of connections 118 and 218 are shown, multiple connections with the network 140 may exist from the network testing chassis 110 and 120 and the network cards 114 and 124. Each network card 114 and 124 may support a single communications protocol, may support a number of related protocols, or may support a number of unrelated protocols. The network cards 114 and 124 may be permanently installed in the network testing systems 110 and 120, may be removable, or may be a combination thereof. One or more of the network cards 114 and 124 may have a resident operating system included thereon, such as, for example, a version of the Linux operating system. Each of the network testing chassis 110 and 120 may include a CPU card that allows the chassis to also serve as a computer workstation.

The back planes 112 and 122 may serve as a bus or communications medium for the network cards 114 and 124. The back planes 112 and 122 may also provide power to the network cards 114 and 124.

The network capable devices 130 may be any devices capable of communicating over the network 140. The network capable devices 130 may be computing devices such as workstations, personal computers, servers, portable computers, personal digital assistants (PDAs), computing tablets, and the like; peripheral devices such as printers, scanners, facsimile machines and the like; network capable storage devices including disk drives such as network attached storage (NAS) and SAN devices; and networking devices such as routers, relays, firewalls, hubs, switches, bridges, traffic accelerators, and multiplexers. In addition, the network capable devices 130 may include appliances such as refrigerators, washing machines, and the like as well as residential or commercial HVAC systems, alarm systems, and any other device or system capable of communicating over a network. One or more of the network capable devices 130 may be devices to be tested and may be referred to as devices under test.

Each of network testing chassis 110 and 120 as well as one or more of the network cards 114 and 124 may include software that executes to achieve the techniques described herein. As used herein, the term software involves any instructions that may be executed on a computer processor of any kind. The software may be implemented in any computer language, and may be executed as object code, may be assembly or machine code, a combination of these, and others. The term application refers to one or more software modules, software routines or software programs and combinations thereof. A suite includes one or more software applications, software modules, software routines or software programs and combinations thereof. The techniques described herein may be implemented as software in the form of one or more applications and suites and may include lower level drivers, object code, and other lower level software.

The software may be stored on and executed from any local or remote machine readable medium such as, for example, without limitation, magnetic media (e.g., hard disks, tape, floppy disks), optical media (e.g., CD, DVD), flash memory products (e.g., memory stick, compact flash and others), and volatile and non-volatile silicon memory products (e.g., random access memory (RAM), programmable read-only memory (PROM), electronically erasable programmable read-only memory (EEPROM), and others). A storage device is any device that allows for the reading from and/or writing to a machine readable medium.

The network testing chassis 110 and 120 may each be augmented by or replaced by one or more computing devices having network cards included therein, including, but not limited to, personal computers and computer workstations.

FIG. 2 is a block diagram of a second environment in which the systems and methods described herein may be implemented. Network testing chassis 210 and 220 may be coupled via dedicated communication lines 252 and 254 with a computer workstation 250. The computer workstation 250 may be any computing device. The computer workstation 250 may include a storage device to access a storage medium on which software that implements the techniques described herein is stored. The software that implements the techniques described herein may be downloaded from the workstation 250 to each of network testing chassis 210 and 220 and the network cards included therein. The workstation 250 may be located physically adjacent to or remote to network testing chassis 210 and 220. Similarly, network-testing chassis 210 and 220 may be located physically adjacent to or remote to one another.

Network testing chassis 210 may be coupled to a production network 260 via one or more connections 268. The term “production network” as used herein means a network that is up and running in the regular course of business. As such, a production network includes network traffic emanated from and between end users and other client devices and servers such as web servers and application servers, as well as other network capable devices 270 attached to or otherwise communicating over production network 260. Network testing chassis 210 may listen to the traffic on and capture or review network traffic from production network 260.

Network testing chassis 220 may be coupled to a test network 280 via one or more connections 228. The term “test network” as used herein means any network that is to be tested, including private segregated networks and publicly accessible networks. The test network 280 may include one or more network capable devices 290 which may be tested and may be referred to as devices under test. Network testing chassis 220 may send or otherwise transmit or communicate data units directed to network capable devices 290 over test network 280.

Each of the network testing chassis 210 and 220 may include a CPU card that allows the chassis to serve as a computer workstation. Storage devices and storage media such as hard disk drives may be included in testing chassis 210 and 220 and included on and/or coupled to the chassis, the CPU cards and/or network cards included therein.

FIG. 3 is a block diagram of a third environment in which the systems and methods described herein may be implemented. Network testing chassis 310 may be coupled via communication line 368 to receive, review and/or capture network traffic from devices 370 on production network 360. The network testing chassis 310 may be coupled via communication line 338 to transmit network traffic to devices 390 on test network 380.

The network testing chassis 310 may have included therewith a display 316 and user input devices such as keyboard 312 and mouse 314, as well as other user input devices including, for example, pens and trackballs, all of which may be coupled to a CPU card included in the chassis. A hard disk drive or other storage device may be included in network testing chassis 310 to store software that implements the techniques described herein. The software that implements the techniques described herein may be communicated from the CPU card to the network cards included in the network testing chassis 310. The network testing chassis 310 may be located physically adjacent to or remote to the devices 370 in the production network 360 and devices 390 in the test network 380.

Overview

FIG. 4A is a functional block diagram of operating units used in implementing the system and methods described herein. FIG. 4B is a flow chart of actions taken by the operating units shown in FIG. 4A. A network testing system 400 may include collectors 410 to capture, collect, filter and perform other operations on network traffic collected from network 460, as shown in block 412. The collectors may compile network traffic data. The collectors may be coupled to and pass collected and filtered network traffic to the characterization unit 420. The characterization unit 420 may analyze, model, profile, sort and perform other operations on the collected and filtered network traffic and/or the network traffic data to create a network traffic characterization, as shown in block 422.

Feedback 470 may be used by the characterization unit 420 to request that the collectors 410 collect additional kinds or types of data concerning specific kinds or types of network traffic. The characterization unit 420 may, based on analysis of the network traffic data, automatically adjust the network traffic data collected and compiled by the collectors 410. That is, the characterization unit 420 may request via feedback 470 that the collectors 410 collect or maintain additional information concerning the network traffic. The characterization unit 420 may also request via feedback 470 that the collectors 410 limit the information collected to information concerning specified kinds or types of the network traffic. As the characterization unit 420 learns additional information about the network traffic, the characterization unit 420 may via feedback 470 successively request more detailed information about more limited sets or kinds of data units.

The characterization unit 420 may be coupled to a script generator 430. The script generator 430 may create traffic transmission scripts based on the network traffic characterization, as shown in block 432. The script generator 430 may be coupled to traffic generator 440. The traffic generator 440 may generate test network traffic onto network 460 according to the scripts created by the script generator 430, as shown in block 442. The test network traffic may be used to test network capable devices coupled with or otherwise accessible by network 460 and to test software included on the network capable devices, including application software.

A manager 450 may be coupled to each of the collectors 410, characterization unit 420, script generator 430 and traffic generator 440. The manager 450 may provide a user interface by which a user may access information concerning the collected network traffic and network traffic data, the scripts and other information made accessible to users by each of the other components. In addition, the manager 450 may provide a user an interface to define the kinds or types of network traffic the collectors 410 may collect and filter, may allow a user to edit or augment the network traffic characterization, may allow a user to edit or augment the scripts generated by the compiler 430, and may allow a user to perform other tasks.

In addition, the manager 450 may query the traffic generator 440 to learn the capabilities of the traffic generator 440. Based on the traffic generating capabilities of the traffic generator 440, the manager 450 may provide initial settings and otherwise control the scope, breadth and depth of the network traffic and network traffic data sought, collected and captured by the collectors 410 of the network traffic. The manager may also control the scope, breadth and depth of the scripts generated by the script generator 430 based on the capabilities of the traffic generator 440.

FIG. 5 is a second functional block diagram of operating units used in an implementation of a system described herein. Collectors 510 may capture and collect network traffic from network 560. Collectors 510 may also receive network traffic files 512 and/or network traffic data 514 from other collectors (not shown) external to network testing system 500 which may be local or remote network testing systems, packet sniffers, and other devices and systems. The external collectors may provide traffic files 512 that include data units from a capture group of network traffic, and may provide traffic data 514 for data units from a capture group of network traffic. In addition collectors 510 may receive and/or retrieve log files from local or remote network testing systems, and network capable devices, including serves, routers, gateways and others. The collectors 510 may obtain access to the log files 516 by presenting a password or other means of authenticating access to the log files. Collectors 510 may be replaced by external collectors (not shown) which pass network traffic files 512, network traffic data and/or log files 516 directly to characterization unit 520.

The collectors 510 may prepare network traffic data and pass the network traffic data to a characterization unit 520. The collectors 510 may also pass or otherwise make available the network traffic data 518 to an external report generator 552 that may be located local or remote to the network testing system 500. The external report generator 552 may be a software program running on a computing device that may be or include a network testing system. The external report generator 552 may allow a user such as a network testing administrator to view the network traffic data via a graphical user interface or other user interface.

The characterization unit 520 may receive the network traffic data from the collectors 510 and prepare a network traffic characterization 522 that includes network traffic statistics and a network traffic model. The characterization unit 520 may pass or otherwise make available the network traffic characterization to the script generator 530. In addition, the characterization unit 520 may pass or otherwise make available the network traffic characterization 522 to the external report generator 552. The external report generator 552 may allow a user such as a network testing administrator to view the network traffic characterization via a graphical user interface or other user interface.

The characterization unit 520 may also control and define the type and kind of filters used in collectors 510. By doing so, the characterization unit 520 may refine the scope, breadth and depth of the network traffic and network traffic data collected, captured and reviewed by the collectors 510. As above with regard to characterization unit 420 and feedback 470, feedback 570 may be used by the characterization unit 520 to request that the collectors 510 collect data concerning specific kinds or types of network traffic. The characterization unit 520 may, based on analysis of the network traffic data, use feedback 570 to automatically adjust the network traffic data collected and compiled by the collectors 510. As the characterization unit 520 learns additional information about the network traffic, the characterization unit 520 may via feedback 570 successively request more detailed information about more limited sets or kinds of data units in the network traffic.

The script generator 530 may create network traffic generation scripts based on the network traffic characterization. The script generator may pass or otherwise make available the network traffic generation scripts 532 to the traffic generator 540 included in network testing system 500. The traffic generator 540 may, based on the network traffic generation scripts, prepare and transmit outgoing network traffic onto network 560. The script generator may also pass or otherwise make available the network traffic generation scripts 532 to an external traffic generator 542, which may be located local or remote to the network testing system 500. The external traffic generator 542 may be a software program running on a computing device that may be or include a network testing system. The traffic generator 540 may be replaced by or augmented by the external traffic generator 542. The external traffic generator 542 may, based on the network traffic generation scripts 532, prepare and transmit outgoing network traffic onto network 560 independent of traffic generator 540.

Systems

FIG. 6 is a block diagram of a network testing system 600. The network testing system 600 may be coupled between a production network 602 and a test network 652. The network testing system may include incoming production network traffic chassis 604 and outgoing test network chassis 654. Network cards included in one or more of chassis 604 and 654 may execute software to achieve the functionality of the network testing system 600. The functional units of the network testing system 600 may include one or more data collectors 612, a characterization engine 620, script generators 630, traffic generators 640 and a manager 660.

Data collectors 612 review network traffic to gather network traffic data regarding the network traffic on the production network 602. The data collectors may review, capture and otherwise obtain network traffic and network traffic data in capture groups. As used herein, a capture group is a group of data units or network traffic data concerning the data units which may be collected either over a system defined period of time (e.g., 3 minutes, 30 minutes, 3 hours), until a memory storage area is full, or until a user or system specified threshold has been reached.

The network traffic data may include protocol distribution data, length distribution data, transaction distribution data, header information, and payload data culled from the collected network traffic.

The protocol distribution data may enumerate the protocols that are present in the collected network traffic. A raw count of data units for each of a group of protocols may be maintained to compile the protocol distribution data. A simple histogram may be presented via viewer 670 of manager 660 to graphically show the protocol distribution of network traffic. Protocol distribution data compilation may involve multi-segment analysis such as iterative passes or iterative collection of multiple capture groups to evaluate the proportion of network traffic that is communicated according to various data communications protocols.

The length distribution data may be compiled for each protocol, for certain size data units, for certain rate or speed characteristics of data units collected in the network traffic. The transaction distribution data may be compiled based on a count of the most popular kinds or types of transactions that are included in the data units that comprise the collected network traffic. For example, the N most common transaction data units may be counted for one or more protocol data units, where N is 4, 8, 10, 16, 20, 32, or any other number. Header information such as source or destination addresses, port designations, and other header data may be counted or maintained such that the most common addresses, ports or most common header information is maintained. Payload data may also be maintained to categorize the different network applications that are represented by the network traffic. The data collectors 612 may maintain a count of the most common network applications. Data units having a specified combination of header and/or payload attributes may be maintained.

To assist with the statistical profiling of network traffic by the characterization engine 620, the data collectors 612 may capture network traffic from the production network 602 and count in real time the numbers of data units, the number of bytes per data unit, and maintain other raw data concerning the network traffic. Data collectors 612 may perform network traffic data gathering directly at the kernel level, in hardware such as FPGAs and in firmware. This provides for fast collection of network traffic data. Real-time data collection may be used to generate statistically relevant information on the fly, at or close to line rate. As used herein, line rate means the speed at which the network traffic travels on a physical or PHY layer on which it is being communicated. Wire speed is a synonym for line rate.

The data collectors 612 may be comprised of one or more units, systems or plug-in modules, each of which may specialize in obtaining data concerning different kinds of data units that comprise the network traffic. Multiple data collection units may be used to increase the richness of collected network traffic and the network traffic data culled from the collected network traffic and/or to increase the performance of the data collectors 612. In some circumstances, a first data collection unit may be used initially to determine the traffic mix, and multiple specialized data collection units may be applied in sequence. The multiple specialized data collection units may each focus on data units that have particular characteristics, such as network layer protocol, application, destination address, and others. Multiple data collectors 612 may also be applied in parallel or concurrently to review the contents of different kinds of data units, or to review different portions of the same kinds of data units.

Using multiple data collection units may increase the overall complexity of the system. A single data collection unit may gather sufficient information to yield the statistics. A single data collection unit may also be used for simplicity.

The data collectors 612 may use one or more specialized network cards with data unit scanners to gather raw statistics about the data units included in the network traffic on production network 602. The data unit scanners may be implemented at the operating system level, in hardware such as FPGAs, and in firmware. The data unit scanners allow the data collectors 612 to gather multiple characteristics of the data units included in the network traffic simultaneously, at or close to line rate. These multiple characteristics of the network traffic may be used to increase the breadth and/or depth of the statistics to be computed by the sort and statistics engine 622 and to increase the accuracy of the modeling of the network traffic by the modeling engine 624.

The filters 614 and translators 616 may be included with the data collectors 612. When the data collectors 612 include multiple data collection units, each of the data collection units may present output in differing formats. Translators 616 may be included with the data collectors 612 to convert the network traffic data into a uniform format. The uniform format network traffic data may be passed to the characterization engine 620 to which the data collectors 612 are coupled.

The translators 616 included with the data collectors 612 may be applied when a data unit in the production network 602 uses secure protocols, such as, for example, IP Security (IPSec), secure sockets layer (SSL), transport layer security (TLS), and others. The translators 616 may extract the encrypted information, and translate it appropriately.

The filters 614 may be system defined and/or user-defined. The filters 614 may be used for various purposes, such as, for example, to restrict the collected network traffic based on the source or destination addresses, the protocols, or any other data fields specified in the data units. The filters 614 used may be derived from the capabilities of the traffic generators 640. The filters 614 may limit network traffic collection to those kinds or types of data units that the traffic generators 640 are capable of transmitting. The kinds and types of filters 614 included in or active in the data collectors 612 may be controlled by the manager 660 based in part on the capabilities of the traffic generators 640. The filters 614 may also be used to limit data collection to specific network traffic patterns.

The manager 660 may provide an interface to allow a user to create and/or modify filters to be used by the data collectors 612. This may be achieved by the manager 660 providing a user interface to a user via a computer terminal or other computing device. The user interface may also be provided by or in conjunction with the data collectors 612.

The manager 660 may also provide an interface that allows users the ability to view the content of log files or other fields containing network traffic related data on remote servers, routers, and other network devices. The log files that may be viewable include server logs, routing tables and logs, and others. To achieve this access the manager 660 and/or the network testing system 600 may use a password or other authentication means to obtain permission to view the logs on servers, routers, and other network devices.

The characterization engine 620 may include a sort and statistics engine 622, a modeling engine 624, and a traffic profiler 626. The sort and statistics engine 622 may receive network traffic data and basic statistics (e.g., raw count of data units, raw count of data units of particular protocol types, etc.) concerning network traffic in a standardized format from the data collectors 612, and may create a set of network traffic statistics.

The sort and statistics engine 622 may pass the network traffic statistics to the modeling engine 624, and may also pass them to the manager 660. The sort and statistics engine 622 may gather statistics, provide traffic data analysis, and generate user readable reports that may be web-accessible.

The sort and statistics engine 622 may provide an interface to the manager 660 or other external components such as network protocol analyzers to allow a user to examine network traffic statistics in real-time or otherwise. This interface may be provided by or augmented by using libpcap or tcpdump for TCP-like types of traffic. The sort and statistics engine 622 may provide an interface to the manager 660 to allow users to view application layer information.

The modeling engine 624 may create a description of a single capture group or of multiple capture groups of network traffic in the form of a model. The mathematical representation of the observed traffic patterns as a model provides a characterization of the captured network traffic. The input to the modeling engine 624 is the series of assembled network traffic statistics from the sort and statistics engine 622. The statistics may be passed in a file such that only a file name need be passed from the from the sort and statistics engine 622 to the modeling engine 624.

The output of the modeling engine 624 is a model that may be represented as collection of parameters compiled from the network traffic statistics. The parameters include any statistics or other information concerning or derived from the network traffic data, including mean standard deviation, and others regarding addresses, protocols, flags, data unit size, payload size, application included in the data unit, and others. The modeling engine 624 distils a parameterized model that characterizes the traffic based on the network traffic statistics. The modeling engine 624 passes the parameterized model to traffic profiler 626. The modeling engine 624 may report the parameterized model to a user via the manager 660. The modeling engine 624 may allow users to modify the parameterized model via manager 660.

The modeling engine may include a feedback controller 623 to control via feedback 628 the kind and type of information included in the network traffic data by the data collectors 612 and the filters 614, and the scope, breadth and depth of the information compiled and computed by the sort and statistics engine 622. For example, the feedback controller 623 may successively refine the information to be retrieved regarding the network traffic by first requesting all transport layer (layer 3) data units, then requesting all TCP data units, then requesting all HTTP data units, and so on. In this way, the granularity of network traffic data captured, collected and analyzed by the data collectors, the filters 614, and the sort and statistics engine 622 may be increased in successive capture groups. Other successive refining may be achieved based on system defined and/or user defined instructions included in or provided to the feedback controller 623.

The modeling engine 624 may include a model tweaking unit 625 that allows users to adjust the various variables and parameters included in the parameterized model representation process of real traffic.

The modeling engine 624 may sanitize all of the information it maintains regarding the network traffic by removing all private and sensitive information from the data. For example, private and sensitive data such as passwords, user names, banking information, credit card numbers, social security numbers, etc. may be removed by the modeling engine 624. The modeling engine 624 may also remove any other identifying information from the network traffic data and the network traffic model, including, for example, IP addresses, port numbers, payload data, and others.

The modeling engine 624 may construct a parameterized model of network traffic that describes the characteristics of the observed traffic. The parameterized model may be limited to a particular layer of the network. This may be, for example, at layer 7 of the network, which may be application layer, at layer 3 of the network which may be the network layer, and so on. Multiple layers of network traffic may be parameterized, such as for example, layers 3, 4 and 7 of the OSI model, namely the network, transport, and applications layers.

In implementing the modeling engine 624, the level of detail, and the number of degrees of freedom to be used in the preparing the parameterized model of the network traffic may be influenced by the capabilities of the network testing system 600. The ability of the network testing system to generate traffic with current and future hardware, as well as software running on current and future devices may be taken into account when selecting the number of parameters and corresponding levels of accuracy to be referenced by the modeling engine 624. That is, the kinds and types of parameters included in the parameterized model of network traffic by the modeling engine 624 may be controlled by the manager 660 based in part on the capabilities of the traffic generators 640.

The modeling engine 624 may prepare different kinds of parameterized models including basic models, mathematical models, and others.

A basic model may include the distribution of protocols in the network traffic and a select group of specific fields (and/or sub-fields) in the data units of the network traffic for each source address in the data units included in the network traffic. The basic model may also describe the traffic coming from specific points in the network. An example basic model may include, for a given source address, the number of outgoing transport layer or IP packets, the multivariate distribution of IP-protocol, ports, flags, etc, together with packet-size distribution. Another, basic model approach may involve describing the statistics for each user in which statistics concerning all the packets emanating from a single source address may be kept.

A mathematical model may be obtained by using a polynomial representation for the mix of network traffic. Any of a variety of curve fitting techniques may be used to create an expression of the mix of network traffic as a polynomial equation. The polynomial representation for the mix of network traffic may be created using Pareto distribution, Gaussian distribution, decaying exponential distribution, and other techniques. Multiple mathematical models may be used to express various attributes of the network traffic, including, for example, data unit size distribution, data units over time, data unit layer distribution, applications included in data unit distribution, data unit protocol distribution, and others. A complex mathematical model may take into account multiple attributes of the network traffic.

The traffic profiler 626 receives a network traffic model in the form of parameters from the modeling engine 624. The traffic profiler 626 matches the model generated by the modeling engine 624 with pre-defined traffic patterns in the form of traffic archetypes. The traffic profiler 626 may create a traffic profile schema based on the comparison of the parameterized model with the available traffic archetype mixes. There are many potential traffic mixes that may be pre-defined as traffic archetypes including, for example, financial mix, manufacture mix, Internet backbone mix, and other patterns. Additional traffic archetypes may be obtained from volunteering customers, from studies, and from other sources. A benefit of providing a collection of traffic archetypes includes the ability of the network testing system to quickly approximate the network traffic mix by using a corresponding archetype for the corresponding industry segment or network type of a user.

The traffic profiler 626 may include a profile editor 627. The profile editor 627 may allow users to modify and adjust traffic archetypes and the traffic profile schema to better represent traffic mixes and variations in network traffic profiles.

The script generators 630 receive the traffic profile schema created by traffic profiler 626 and generate scripts that will be used by the traffic generators 640 to generate network traffic. The script generators 630 may include one or more plug-ins, modules or sub-units that each contain a separate individual compiler. Each script generating compiler may create a specific type of script to generate a particular kind of network traffic. The script generator plug-ins may specialize in preparing scripts for various kinds of network traffic, including, for example, stateless streams such as TCP and HTTP, perfstack and fullstack, and others. Script generator plug-ins may be added or removed. There may be one script generating compiler for each supported network communications protocol.

The traffic generators 640 receive as input the generated aggregation of scripts prepared by the script generators 630. The traffic generators 640 may produce as output network traffic in the form of a single sequence of data units described by the scripts. The single sequence of network traffic may be a single stream. A stream may be any series of related packets. The single sequence of network traffic is transmitted into the test network 652.

The traffic generators 640 may also generate multiple sequences and multiple steams of data units. The traffic generators 640 may include a scheduler such as a stream multiplex scheduler. The scheduler may multiplex the various streams or other groupings of data units that represent the different types of network traffic modeled by the scripts. The scheduler may coordinate any number of streams or other groupings of network traffic; for example, 160 separate streams may be aggregated as the generated network traffic.

If the number of data unit types is greater than a system defined maximum, such as for example, 128, 160, 256, and others, the scripts may be analyzed such that the number of data unit types is reduced, thus reducing the resolution of the test network traffic. That is, fewer types of data units than the types included in the scripts will be transmitted.

The manager 660 may generate reports, graphics, and charts describing the incoming network traffic data unit mix, the overall throughput of the production network 602, application throughput seen on the production network 602, and other characteristics of the production network 602 and the network traffic that populates the production network 602

The manager 660 may receive information from multiple sources, such as one or more of the data collectors 612, the sort and statistics engine 622, the modeling engine 624 and the traffic profiler 626. The manager 660 may receive may receive statistical data and other data from one or more of the data collectors 612, the sort and statistics engine 622, the modeling engine 624 and the traffic profiler 626. The manager 660 may format the statistical data for human or machine use. The manager 660 may format the statistical data, prepare it for display and/or prepare the statistical data in an appropriate format for output. In addition, the manager 660 may provide an interface that allows users the ability to view the content of server logs on remote servers.

With regard to all of the network testing systems described herein, additional and fewer units, chassis, blocks, communication lines, modules or other arrangement of software, hardware, firmware and data structures may be used to achieve the system and techniques described herein.

Methods

FIG. 7 is a flow chart of a method. Data units may be collected from a network, as shown in block 710. The network is typically a production network. The data units are filtered, as shown in block 714. The filtering may be achieved by filters that may be system defined and/or user defined. The filters may limit collection and review of data units based on specified characteristics such as size of the data units, layer of the data units, application that sent the data unit, protocol included in the data unit, source and/or destination addresses in the data unit, port specified in the data unit, flags specified in the data unit, and others. Pertinent information from each collected data units is obtained and saved as network traffic data, as shown in block 716. The pertinent information may be obtained by various plug-ins, modules or units, each of which may store the pertinent information in varying formats. The pertinent information for each of the data units is then translated into a uniform format, as shown in block 720. Statistics for the network traffic are then computed, as shown in block 724.

The network traffic data may be sorted to determine the data unit distribution, as shown in block 730. The distribution of network traffic may be evaluated by data unit size, data unit protocol type, data unit layer, data unit application, and other data unit attributes. A model that parameterizes the collected data units as a parameterized model is distilled, as shown in block 734. Private and other sensitive information may be removed from the network traffic data and/or the parameterized model, as shown in block 736. The parameterized model may be matched with pre-set network traffic archetype mixes to determine a profile of the network traffic, as shown in block 740. Outgoing data unit generation scripts may be prepared based on the network traffic profile, as shown in block 744. Outgoing data units may be generated based on the data unit generation scripts, as shown in block 750.

FIG. 8 is a flow chart of filtering collected network traffic. Raw network traffic is received, as shown in block 810. The kind of data unit is then analyzed, as shown in block 820. The actions taken may then depend on the kind of data unit being reviewed. In various implementations, various actions may be taken based on whether the kind of data unit is a frame relay data unit, as shown in block 822, a token ring data unit, as shown in block 824, an ISDN data unit, as shown in block 826, an X.25 data unit, as shown in block 828, an Ethernet data unit, as shown in block 830, an FDDI data unit, as shown in block 832, an ATM data unit, as shown in block 834, a PPP data unit, as shown in block 836, an “other” kind of data unit, as shown in block 838, and a “wildcard” data unit, as shown in block 840. As used herein, “other” refers to known but kinds or types of data units that a fine granularity of information need not be maintained. As used herein, “wildcard” refers to unknown kinds or types of data units that are found in the network traffic.

When the kind of data unit is Ethernet, as shown in block 830, the data unit is further classified based on its type, as shown in block 850. Types of Ethernet data units include ARP data units, as shown in block 852, RARP data units, as shown in block 854, IP data units, as shown in block 860, “other” types of Ethernet data units, as shown in block 856, and “wildcard” or unknown types of Ethernet data units, as shown in block 858. When the type of Ethernet data unit is IP, the flow of actions continues with block 910 of FIG. 9. Other kinds of data units may be filtered in a similar, specialized manner based on the attributes of the particular kind of data unit.

FIG. 9 is a flow chart of actions taken in filtering IP data units. When an IP data unit is collected, as shown in block 910, the pertinent information for which statistics will be obtained is determined based on the kind of IP data unit, as shown in block 920.

If the kind of IP data unit is TCP, as shown in block 930 a history of the port used is maintained, as shown in block 932. Parameterized information about the TCP data unit is prepared, as shown in block 933. The parameterized information about the TCP data unit may be added to a traffic summary table, as shown in block 934, or other data structure used to store network traffic summary data. A network traffic summary table may store the network traffic data for each of the data units in a capture group.

If the kind of IP data unit is UDP, as shown in block 940 a history of port traffic is maintained, as shown in block 942. Parameterized information about the UDP data unit is prepared, as shown in block 943, and the parameterized information about the UDP data unit is added to the network traffic summary table, as shown in block 944.

If the kind of IP data unit is ICMP, as shown in block 950, history of the type of ICMP data unit is maintained, as shown in block 952. Parameterized information about the ICMP data unit is prepared, as shown in block 953, and the parameterized information about the ICMP data unit is added to the network traffic summary table, as shown in block 954.

If the kind of IP data unit is “other”, as shown in block 960 a history of pertinent data fields of these other IP data units is maintained, as shown in block 962. Parameterized information about the other IP data unit is prepared, as shown in block 963, and the parameterized information about the other data unit is added to the network traffic summary table, as shown in block 964.

If the kind of IP data unit is “unknown” it may be considered a “wildcard”, as shown in block 970. Parameterized information about the unknown kind of IP data unit is prepared, as shown in block 973, and the parameterized information about the unknown data unit is added to the network traffic summary table, as shown in block 974.

With regard to FIGS. 7, 8 and 9, additional and fewer steps may be taken, and the steps as shown may be combined or further refined to achieve the methods described herein.

Data Storage

FIG. 10 is a network traffic summary table 1000. The summary table serves to summarize pertinent information concerning the network traffic. The summary table may also be considered a traffic distribution table. Basic raw data concerning data units included in the network traffic may be maintained in one or more data structures that may be viewed as a table. One summary table may be created for each capture group. The size of the summary tables may be system defined or user customizable. The summary table provides a parameterized view of network traffic in a particular capture group, and may be used to store data concerning multiple capture groups, or a summary of all captured network traffic.

The network traffic summary table 1000 may include source and destination IP addresses 1010 and 1012 contained in a data unit, protocol information 1016 such as the protocol 1020 used in the data unit, a port designator or port type 1022 specified in the data unit, and flags 1024 specified in the data unit. Example protocols include TCP, UDP, ICMP, and others. The protocols may correspond to the type of protocols discussed above regarding FIGS. 8 and 9. The port designator 1022 may be a range of ports, a list of ports, or a single port. The flags 1024 may vary based on the type of protocol 1020.

The number of data units 1030 having a size in a particular range may be maintained according to bins. That is, for those data units having particular IP addresses 1004 and/or the same protocol information 1016, a count of the data units by size may be maintained. For example, a first bin 1032 may include the raw count of the number of data units having size 1-63 bytes, a second bin 1034 may include the raw count of the number of data units having size 64-128 bytes, a third bin 1036 may include the raw count of the number of data units having size 128-255 bytes, a fourth bin 1038 may include the raw count of the number of data units having size 256-511 bytes, a fifth bin 1040 may include the raw count of the number of data units having size 512-1023 bytes, a sixth bin 1042 may include the raw count of the number of data units having size 1024-1518 bytes, and a seventh bin 1044 may include the raw count of the number of data units having the maximum size data unit.

To more efficiently store the information maintained in the summary table, the summary table may be implemented to conserve memory space usage, such as, for example, by using a hash table, and other data storage techniques.

In addition to or in place of the summary table, parameterized vectors of information based on each type of data unit may be maintained. For example, if the types of data units include TCP, UDP and ICMP data units, parameterized TCP representation vectors, parameterized UDP representation vectors, and parameterized ICMP representation vectors may be used, as well as others.

FIG. 11 is a representation vector 1100 of a TCP data unit. The representation vector 1100 may include fields for the layer 2 protocol type 1110, the layer 3 protocol type 1112, the type of IP service 1114, the source IP address 1116, the destination IP address 1118, the minimum TCP port 1120 which is the minimum of the source and destination TCP ports, a source/destination port bit 1122, a stuffing bit 1124, TCP flags 1126, and the data unit size 1128. The representation vector 1100 may be 128 bits wide. The size of the representation vector may vary in various implementations based on the information to be captured and other reasons, such as CPU word size, available memory for storage, and others. The representation vector 1100 is shown with designated 32 bit portions because a processor on a network card or a processor executing software to achieve the techniques described herein may have a 32-bit word. Other processors having other word sizes (e.g., 8, 16, 64 and others) may also be used.

The representation vector 1100 shown depicts an example an IP version 4 TCP data unit sent from IP address 10.0.0.1 to IP address 10.0.0.2, destination TCP port 80, using a standard IP type of service. In this example, layer-2 protocol type is IP v4 with the hexadecimal code 0x0800. Obtaining this information may require some processing. For example, the minimum TCP port requires extracting information regarding two ports (source and destination), and comparing them to find the minimum.

FIG. 12 is a representation vector 1200 of an ICMP data unit. The representation vector 1200 may include fields for the layer-2 protocol type 1210, the layer 3 protocol type 1212, the type of IP service 1214, the source IP address 1216, the destination IP address 1218, ICMP type code 1220, a stuffing bit 1222, and the data unit size 1224. The representation vector 1200 may be 128 bits wide. The size of the representation vector may vary in various implementations based on the information to be captured and other reasons, such as CPU word size, available memory for storage, and others. The representation vector 1200 is shown with designated 32-bit portions because a processor on a network card or a processor executing software to achieve the techniques described herein may have a 32-bit word. Other processors having other size words (e.g., 8, 16, 64 and others) may also be used.

The representation vector 1200 shown depicts an example a IP version 4 ICMP data unit sent from IP address 10.0.0.1 to IP address 10.0.0.3, using a standard IP type of service. In this example, layer 2 protocol type is IP v4 with the hexadecimal code 0x0800, and the layer 3 protocol type is 1 representing ICMP.

Closing Comments

Throughout this description, the embodiments and examples shown should be considered as exemplars, rather than limitations on the systems and methods disclosed or claimed. Although many of the examples presented herein involve specific combinations of method acts or system elements, it should be understood that those acts and those elements may be combined in other ways to accomplish the same objectives. With regard to flowcharts, additional and fewer steps may be taken, and the steps as shown may be combined or further refined to achieve the methods described herein. Acts, elements and features discussed only in connection with one embodiment are not intended to be excluded from a similar role in other embodiments.

As used herein, “plurality” means two or more. As used herein, a “set” of items may include one or more of such items. As used herein, whether in the written description or the claims, the terms “comprising”, “including”, “carrying”, “having”, “containing”, “involving”, and the like are to be understood to be open-ended, i.e., to mean including but not limited to. Only the transitional phrases “consisting of” and “consisting essentially of”, respectively, are closed or semi-closed transitional phrases with respect to claims. Use of ordinal terms such as “first”, “second”, “third”, etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed, but are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements. As used herein, “and/or” means that the listed items are alternatives, but the alternatives also include any combination of the listed items. 

1. A system to automatically generate outgoing network traffic based on observed production network traffic, the system comprising at least one network card, the network card including at least one processor and memory, the system further comprising: a data collector to automatically capture production network traffic and to compile network traffic data based on the captured production network traffic, wherein the data collector includes at least one data collection unit for each of a plurality of communications protocols supported by the system, wherein the network traffic data includes at least two of distribution data comprising at least one of protocol distribution data, length distribution data, and transaction distribution header information comprising at least one of a group of most common addresses, a group of most common ports, and most common header data payload data a characterization engine to receive the production network traffic and the network traffic data from the data collector and to automatically prepare network traffic characterization data based on the production network traffic and the network traffic data, the network traffic characterization data including at least two of statistical indicators, a traffic model and traffic profile data a script generator to receive the network traffic characterization data from the characterization engine and to automatically prepare scripts based on the network traffic characterization data, wherein the script generator includes at least one script generation unit for each of the plurality of communications protocols supported by the system a traffic generator to automatically generate outgoing test network traffic based on the scripts, wherein the traffic generator includes at least one traffic generation unit for each of the plurality of communications protocols supported by the system.
 2. The system of claim 1 further comprising: a feedback unit included in the characterization engine, the feedback unit to communicate with the data collector to automatically adjust the network traffic data compiled based on earlier captured production network traffic including successively refining the network traffic data compiled.
 3. The system of claim 1 wherein the characterization engine comprises a sort and statistics engine to prepare the statistical indicators based on the network traffic data a modeling engine to prepare the traffic model based on the statistical indicators a traffic profiler to generate the traffic profile data based on the traffic model and traffic mix profiles stored by the system.
 4. The system of claim 1 wherein the collector is configured to filter the network traffic based on filters that are at least one of user defined and system defined.
 5. The system of claim 1 wherein the collector is configured to translate the network traffic based on uniform format requirements.
 6. The system of claim 1 further comprising: a manager coupled with at least the data collector and the characterization engine, the manager to obtain statistical data from at least one of the data collector and the characterization engine and to provide an interface to allow a user to view information about the captured network traffic, including providing at least one of reports, log files, charts, and graphs showing at least one of the network traffic characterization data and the statistical data.
 7. The system of claim 3 wherein the characterization engine includes a model-tweaking unit to allow a user to edit the traffic model.
 8. The system of claim 3 wherein the characterization engine includes a profile-editing unit to allow a user to edit the traffic profile data.
 9. The system of claim 1 wherein the plurality of communications protocols include at least one selected from the group including Ethernet, User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Hypertext Transfer Protocol (HTTP).
 10. A method to automatically generate outgoing network traffic based on observed production network traffic, the method performed by a network testing system, the method comprising: the network testing system capturing production network traffic, wherein the production network traffic includes a plurality of data units adhering to a plurality of communications protocols the network testing system compiling network traffic data based on the captured production network traffic, the network traffic data including at least two of distribution data comprising at least one of protocol distribution data, length distribution data, and transaction distribution data header information comprising at least one of a group of most common addresses, a group of most common ports, and most common header data payload data the network testing system preparing network traffic characterization data based on the production network traffic and the network traffic data, the network traffic characterization data including at least two of statistical indicators, a traffic model and traffic profile data the network testing system generating scripts based on the network traffic characterization data the network testing system generating outgoing test network traffic based on the scripts, wherein the outgoing test network traffic includes a plurality of data units adhering to at least one of the plurality of communications protocols.
 11. The method of claim 10 further comprising: the network testing system automatically adjusting the network traffic data compiled based on earlier captured production network traffic including successively refining the network traffic data compiled.
 12. The method of claim 10 wherein the network testing system preparing network traffic characterization data includes the network testing system preparing the statistical indicators based on the network traffic data the network testing system preparing the traffic model based on the statistical indicators the network testing system generating the traffic profile data based on the traffic model and system provided traffic mix profiles.
 13. The method of claim 10 wherein the network testing system capturing network traffic comprises the network testing system filtering the network traffic based on filters the network testing system compiling network traffic data comprises the network testing system translating the network traffic based on uniform format requirements.
 14. The method of claim 10 wherein the plurality of communications protocols includes at least one selected from the group including Ethernet, User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Hypertext Transfer Protocol (HTTP).
 15. A machine readable medium having instructions stored thereon which when executed cause a network testing system to perform operations comprising: capturing production network traffic, wherein the production network traffic includes a plurality of data units adhering to a plurality of communications protocols compiling network traffic data based on the production network traffic, the network traffic data including distribution data comprising at least one of protocol distribution data, length distribution data, and transaction distribution data header information comprising at least one of a group of most common addresses, a group of most common ports, and most common header data payload data preparing network traffic characterization data based on the production network traffic and the network traffic data, the network traffic characterization data including at least two of statistical indicators, a traffic model and traffic profile data generating scripts based on the network traffic characterization data generating outgoing test network traffic based on the scripts, wherein the outgoing test network traffic includes a plurality of data units adhering to at least one of the plurality of communications protocols.
 16. The machine readable medium of claim 15 having further instructions which when executed cause the network testing system to perform further operations comprising: automatically adjusting the network traffic data compiled based on earlier captured production network traffic, including successively refining the network traffic data compiled.
 17. The machine readable medium of claim 15 wherein preparing network traffic characterization data includes preparing the statistical indicators based on the network traffic data preparing the traffic model based on the statistical indicators generating the traffic profile data based on the traffic model and system provided traffic mix profiles.
 18. The machine readable medium of claim 15 wherein the capturing network traffic comprises filtering the network traffic based on filters the compiling network traffic data comprises translating the network traffic based on uniform format requirements.
 19. The machine readable medium of claim 15 wherein the plurality of communications protocols includes at least one selected from the group including Ethernet, User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Hypertext Transfer Protocol (HTTP). 